shell script: use sudo inside it vs run it with sudo?

When writing a shell script, in which some but not all commands in it need superuser privileges, shall I



  • add sudo to those commands which need superuser privileges, and run the shell script without sudo, or


  • don't add sudo to those commands which need superuser privileges, but run the shell script with sudo?


In the second way I will only need to provide my password once, but all the commands in the script will be run with superuser privileges, including those commands which don't need them.



In the first way I may need to provide my password multiple times for different sudo commands, while the superuser privileges are granted only to those commands which need them.



From security concern, the first way is better. For convenience, the second way is better.



I have been thinking of adopting the first way. So I have to deal with the inconvenience of providing my passwords to multiple sudo commands in the shell script.



Stephen Harris wrote at https://unix.stackexchange.com/a/478786/674:




A well written script would detect if it was running with the right permissions and not call sudo at all, but there's a lot of bad scripts




So should I use the second way? If so,



  • how can I write "script would detect if it was running with the right permissions and not call sudo at all"?


  • how can I improve its security to avoid the problem of giving superuser privileges to commands which don't need them when running the script with sudo?


Thanks.










      shell-script scripting sudo root






      edited 1 hour ago by Vlastimil

      asked 2 hours ago by Tim




















          1 Answer
          To address your first issue:




          how can I write "script would detect if it was running with the right permissions and not call sudo at all"?






          There is a simple and POSIX check for root:



          #!/bin/sh
          AmIRoot()
          {
              [ "$(id -u)" -eq 0 ]   # true when the effective UID is 0
          }



          Alternatively, in Bash, more performance-driven coders might want to use:



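          #!/bin/bash
          AmIRoot()
          {
              # body lost in this copy; assumed reconstruction with Bash's built-in EUID (no id fork)
              (( EUID == 0 ))
          }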



          Note that I intentionally wrapped the code in functions for re-use.



          To address your second issue:




          how can I improve its security to avoid the problem of giving superuser privileges to commands which don't need them when running the script with sudo?




          You can't do much about this. At least nothing comes to my mind. If I saw the script, I might have suggestions. But since you did not include it in your question... If you run the whole script with sudo or as root, I see no way to control this.






          edited 1 hour ago

          answered 1 hour ago by Vlastimil











          • sudo -u "$SUDO_USER" command...?
            – Michael Homer
            1 hour ago
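
Added example, not part of the original thread: one way to combine the answer's root check with the `sudo -u "$SUDO_USER"` idea from the comment, so that a script keeps root only for the steps that need it whether or not it was started with sudo. The helper names (`is_root`, `uid_of`, `drop_target`, `as_invoker`, `as_root`) and the commands in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example; helper names and the usage commands are hypothetical.

# The POSIX root check from the answer.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Numeric UID of a named account; fails if the account does not exist.
uid_of() {
    id -u "$1" 2>/dev/null
}

# Print the account unprivileged steps should run as, or nothing when no
# drop is possible. $1 = current effective UID, $2 = value of SUDO_USER.
drop_target() {
    [ "$1" -eq 0 ] || return 0        # not root: nothing to drop
    case $2 in
        '' | -*) return 0 ;;          # unset, or would parse as an option
    esac
    uid=$(uid_of "$2") || return 0    # no such account
    [ "$uid" -ne 0 ] || return 0      # root or another UID-0 name: no gain
    printf '%s\n' "$2"
}

# Run a step that does not need root as the invoking user when possible.
as_invoker() {
    target=$(drop_target "$(id -u)" "${SUDO_USER:-}")
    if [ -n "$target" ]; then
        sudo -u "$target" -- "$@"
    else
        "$@"
    fi
}

# Run a step that needs root; call sudo only when not already root.
as_root() {
    if is_root; then
        "$@"
    else
        sudo -- "$@"
    fi
}

# Usage in a script started either way (commands are placeholders):
#   as_invoker make            # build without root
#   as_root    make install    # only this step runs as root
```

When the script is started from a root login rather than through sudo, `SUDO_USER` is unset and `as_invoker` has no account to drop to, so those steps still run as root.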















